I'm experiencing a very weird problem. I've successfully encrypted my root, swap, etc...
I've been running this machine for 3 months already. I haven't experienced any problems. However, today I tried to extract a very large tar file. There are twelve 50 MB rar files within this huge tar file. There's also a checksum file that comes with the tar file, which validates all 12 of these large 50 MB rar files.
I've tried to extract these files many different times. Every time after I extract these rar files from the huge tar file, I check them with the checksum file. And every single time, it gives errors, but on different rar files.
The odd thing is, every time I extract from the tar file, different rar files get corrupted. Therefore, I want to know if this has anything to do with the encrypted file system, or if there is something I might have done that may cause this error.
Just for the record, I run reiserfs on the loopback device backed by /dev/sdaX.

Best Regards,

I've tested it with other compression utils and compressing the same set of files and decompressing them on the encrypted file system:
ZIP/UNZIP: no corruptions
RAR/UNRAR: no corruptions
GZIP/UNGZIP: no corruptions
TAR/UNTAR: random corruptions on uncompressed files
TAR+BZIP2/UNTAR+UNBZIP2: random corruptions

I'm wondering if there's something special about tar/untar I have to worry about when I'm working with loop-AES encrypted file systems. Maybe someone experiences similar issues?

I get the same error when I try to boot from USB. I followed the guide about gpg encryption. And it works fine when BOOTDEV in build-initrd.sh is /dev/discs/disc0/part1 and boot is on the hard drive. But when I put my boot partition on my USB and set the BOOTDEV to /dev/discs/disc1/part1, I get the same error as Jeff. I have tried the same as Jeff with pause, no help.

PLS HELP

Fixed the first problem now. Just put bootdev to /dev/discs/disc0/part1.

Now I got a new error, this is the output when I boot on my new initrd:

Someone in Gentoo Chat tipped me off to this warning in the help blurb for the 'cryptoloop' module:

Quote:

WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.

Is this something to worry about?

I dunno... AESLoop on Reiser4 has been working flawlessly.

Jeff

Someone in Gentoo Chat tipped me off to this warning in the help blurb for the 'cryptoloop' module:

Quote:

WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.

Is this something to worry about?

Also, reiserfs hasn't made any problems (at least in my case).

Don't use a journaling file system on top of file backed loop device. Device
backed loop device can be used with journaling file systems as device backed
loops guarantee that writes reach disk platters in order required by
journaling file system (write caching must be disabled on the disk drive, of
course).
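
The rule in the post above can be turned into a quick audit. This is an added example, not part of the thread or of loop-AES: it reads "loopdev backing fstype" triples and flags journaling filesystems on file-backed loops. The function names, the triple format and the (non-exhaustive) filesystem list are assumptions, and backing paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): audit loop devices against the rule
# "no journaling file system on top of a file backed loop device".
# Input on stdin: one "loopdev backing fstype" triple per line.

# Assumed, non-exhaustive list of journaling filesystems.
JOURNALING="ext3 ext4 reiserfs jfs xfs"

is_journaling() {
    for fs in $JOURNALING; do
        [ "$1" = "$fs" ] && return 0
    done
    return 1
}

audit_loops() {
    while read -r loopdev backing fstype; do
        [ -n "$loopdev" ] || continue
        # Classify the backing store: block device, regular file, or neither.
        if [ -b "$backing" ]; then
            kind=device
        elif [ -f "$backing" ]; then
            kind=file
        else
            kind=unknown
        fi
        if ! is_journaling "$fstype"; then
            echo "OK $loopdev: $fstype is not in the journaling list"
        elif [ "$kind" = file ]; then
            echo "WARN $loopdev: $fstype on file-backed loop ($backing)"
        elif [ "$kind" = device ]; then
            # Write ordering only holds if the drive write cache is off
            # (for ATA disks: hdparm -W0 on the underlying drive).
            echo "NOTE $loopdev: $fstype on device-backed loop, check write cache"
        else
            echo "UNKNOWN $loopdev: cannot stat backing store $backing"
        fi
    done
}

# On a live system with a recent util-linux, the triples can be collected
# like this; the filesystem type is empty if the loop device is not mounted.
collect_loops() {
    losetup --list --noheadings --output NAME,BACK-FILE |
    while read -r dev back; do
        echo "$dev $back $(findmnt -n -o FSTYPE --source "$dev" | head -n 1)"
    done
}
```

Run it as `collect_loops | audit_loops`, or feed it hand-written triples when the tools on the box predate `losetup --list`.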

Um, as the creator of one of the first "How to encrypt root, etc" Howto's in these forums, and spending a LOT of time messing around with the loop device driver, loopAES, the cryptoAPI yada yada...

I recommend that people think about using the new device mapper based stuff instead and NOT loop device based stuff. Why? Because it is more righteous, because it works better, because it has a future, and MOSTLY because the whole loop device implementation is one huge ugly kernel hack. There are some dm-crypt how-to's in the Gentoo forums that tell you how to do it. TRY IT YOU WILL BE GLAD YOU DID.

The device manager is a layer of code in 2.6 kernels that lets virtual layers of block devices be created on top of real devices. It is used by stuff like the logical volume managers (LVM and EVMS). It is the RIGHT place to put filesystem encryption.

That sounds quite interesting; besides, I've never heard of it. Maybe you can describe the whole thing in more detail or provide some links or even write a tutorial, since you know best what you are talking about.
As I wrote at the beginning of the tutorial, this is mainly the same as your old guide; it's just more detailed and from time to time I added some extras, but the core consists of your guide, so it would be really nice if we could keep this up to date.

greets,
hulk

I really liked your howto and this thread. I kind of lurk around sometimes and see what people are doing. You and watersb and steeledan and some other guys make this stuff cool and really make me think, so THANKS!

It is pretty trivial to make dm-crypt work on an encrypted root. Basically the idea is about the same as what Jari Ruusu did with loop-AES. That is to get a kernel loaded, put some stuff in an initrd that makes the real root file system mountable, mount it, and then chroot or pivot root to it. You can put the setup stuff in a program or a script and on a ram device or on the boot partition (I like boot partition scripts better because it is lots more flexible and I can fix it easier when I mess up, which I do a lot).

There is a pretty close Gentoo dm-crypt howto that steeledan did here.

I used it as the starting point on my stuff. I haven't written everything down because usually I just keep hackin away until I understand it and then when I understand it I remember it, then I forget to write it down. I know that doesn't make too much sense but hey, that's me! I will make another encrypted root system from the beginning sometime and will take good notes then and put it on here if anyone wants it.

The only tricky part is to make sure you have the libraries on the boot partition that are needed to run whatever is going to get the passphrase, cryptsetup, and mount to run (I put other stuff there too like libraries needed for vi so that I can fix stuff without having to boot up all of knoppix, heh).

Also, there is some good stuff on dm-crypt that Christophe Saout did here.

The thing about dm-crypt that's so good is that it runs as part of the device mapper layer. So it doesn't have to do weird stuff that fakes out VFS or has to worry about what order blocks are written to the disk (like if you are using an encrypted filesystem backed by a journalled file system), and doesn't get real messy with a bunch of kernel patches.

/dev/loop6 was still active - from when you used it to encrypt the partition - and you probably tried to use the same loop device in your /etc/fstab to mount the newly encrypted partition. I bet if you would have done a

ps aux | grep loop

before rebooting you would have seen [loop6] in the output.

Next time try

losetup -d /dev/loop6

to release the loop device before mounting.

echto

yottabit wrote:

Can't seem to figure out how to setup swap part with GPG key. I've done this:

Code:

losetup -e AES256 -K /mnt/floppy/rootkey.gpg /dev/loop6 /dev/hda2

I guess this encrypts /dev/loop6 -> /dev/hda2 to my GPG key. It asks for my password, so I guess it worked.

And then I've made the guide-recommended changes to my /etc/fstab, but when I mount /dev/hda2 I get this:

- get the latest util-linux (at the moment it is util-linux-2.12) from a gentoo mirror or from kernel.org.
util-linux is also in the portage tree, but you have to patch util-linux and I don't know if the ebuild of util-linux contains an entry for the patch. Haven't tried it yet, but you can try it.

[...]

- extract the util-linux archive into the /tmp/enc/loop-AES-v2.0d/ directory and cd into it (cd /tmp/enc/loop-AES-v2.0d/util-linux-2.12/)
- then type the following commands:

I have some problems with the step where one should use a knoppix cd to boot and then encrypt its partitions.
Shouldn't this boot cd have loopaes support included, or how is it possible to encrypt with a "knoppix cd"?
Do I have to use a special version of knoppix cd?
Is disc encryption with loopaes (with current patches) available on such a "knoppix cd"?

Had this one right now. A world update was the problem. There is a new use flag "old-crypt". Add it to your make.conf, then

Code:

# emerge util-linux

After that you'll find a new mount command for mounting your cryptoloop drive in /sbin:

Code:

# mount-old-crypt /mnt/crypt

Read the util-linux ebuild for more info:

Quote:

* This version of util-linux includes crypto support
* for loop-aes instead of the old cryptoapi.
* If you need the older support, please re-emerge
* util-linux with USE=old-crypt. This will create
* /sbin/mount-old-crypt and /sbin/losetup-old-crypt.

Recently I had some problems making loop-AES 3.0b work with kernel 2.4.27. It seems that you need to remove the loop.o and loop.h files from the kernel in order to make losetup work during the boot process.

The loop.o file can be found in linux/drivers/block inside the kernel source and loop.h in include/linux.

Maybe an idea to put this in the tutorial? Saves some people a lot of headaches.

I just finished encrypting my / partition and now when I boot it says my password is no good. I figured it might be a keymap issue so I went back and enabled the keymap option using knoppix. I also copied the default.kmap to /boot as instructed in the build.something script (I forget). Now when I boot it says